A Geek’s Guide to the NSA Scandal: What You May Not Know About Data Collection

posted by Charles Johnson
-
3 years ago

The domestic surveillance scandals deserve serious discussion, but unfortunately there’s a lot of misinterpretation and misinformation flowing through the mediasphere. I believe it’s driven by misunderstanding of technical issues as well as a phenomenon known as confirmation bias. The result smacks of paranoid fear-mongering inside a cloud of unknowing instead of a clear-eyed search for the truth.

First, a confession: I’m what’s known as a “nerd.” Possibly also a “geek.” In addition to a musical background, I’ve been programming computers for more than 20 years, before beginning my LittleGreenFootballs.com blog. So from a technical angle, there were some things about the media coverage of the NSA spying case that set off warning bells for me from the start.

This was the opening paragraph of the Guardian’s first report on the PRISM PowerPoint slides they obtained from Edward Snowden (a similar claim was made by the Washington Post):

The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.

Now, that’s how to get a nerd’s attention! “Direct access” to the servers of every top Internet company, reading all the email and Internet communications of every American citizen? That would be quite a bombshell indeed—not to mention a prodigious technical feat.

But almost immediately I realized that “direct access” could (and probably did) mean something much more limited than the indiscriminate snooping suggested. Here’s the actual wording of the slide in question:

PRISM – Collection directly from the servers of these U.S. Service Providers…

Without getting too technical, in Web technology a very common technique when files need to be exchanged between users is to set up something known as a “sandboxed FTP directory.” This is a special directory that can be accessed only with a username and password; it does not allow the user to see anything else on the server, only the contents of that one directory. There are other ways to achieve this same end, and this kind of sandboxed system, which would allow the feds to log in and pick up whatever was placed there for them, seemed much more believable than the NSA having free access to rummage around on the tech companies’ servers.